Ahmed Farid
466f75bad8
Update Concepts.qll
2022-03-06 23:53:00 +01:00
Taus
b35718e0d5
Python: Remove uses of getAQlClass
2022-03-04 15:39:27 +00:00
Erik Krogh Kristensen
7691807713
delete the getLastParameter predicate from ApiGraphs
2022-03-04 16:24:54 +01:00
Taus
095f27f294
Python: Remove deprecated annotations
2022-03-04 12:30:26 +00:00
Taus
20710616c5
Python: Fix "use set literal" warnings
2022-03-04 12:26:36 +00:00
Taus
821de636af
Python: Remove redundant inline casts
...
These are all implied by the return type of the other side of the
equality.
2022-03-04 12:21:31 +00:00
Taus
74f0bdfc79
Python: Fix "unused disjunct" warnings
...
For the most part, these boil down to "some global property holds, and
so this relation contains all instances of class `X`". The fix is to
explicitly build the cartesian product (which we were already building
implicitly anyway) by adding `and exists(var)` to the disjunct that did
not mention `var`.
Note that these cartesian products are always with singletons on one
side, and so should be unproblematic.
2022-03-04 12:14:57 +00:00
Rasmus Lerchedahl Petersen
93750fe17f
python: minimal CSRF implementation
...
- currectly only looks for custom django middleware
2022-03-04 12:47:23 +01:00
Rasmus Wriedt Larsen
3f48916e95
Merge pull request #7915 from yoff/python/promote-xpath-injection
...
Python: promote XPath injection query
2022-03-04 11:59:39 +01:00
Rasmus Wriedt Larsen
f620e2599d
Merge branch 'main' into py/add-ssrf-sinks
2022-03-04 11:50:12 +01:00
Rasmus Wriedt Larsen
e47f726e74
Python: Add change-note
2022-03-04 11:48:17 +01:00
Rasmus Wriedt Larsen
75bc532d10
Python: Avoid toString usage :O
2022-03-04 11:41:22 +01:00
Rasmus Wriedt Larsen
866e615689
Python: Add PyPI links in qldocs
2022-03-04 11:40:03 +01:00
Rasmus Wriedt Larsen
02a97b08bb
Python: Move urllib and urllib2 to be part of stdlib modeling
2022-03-04 11:31:47 +01:00
Rasmus Wriedt Larsen
c65839bb77
Python: improve urllib3 modeling
2022-03-04 11:25:14 +01:00
Rasmus Wriedt Larsen
7d6d8be179
Python: Fix httpx modeling
2022-03-04 11:07:51 +01:00
Rasmus Wriedt Larsen
56901ea841
Python: Make new SSRF sink modules private
2022-03-04 11:04:18 +01:00
Rasmus Wriedt Larsen
40feb1fb8d
Python: SPURIOUS results for httpx
2022-03-04 11:03:32 +01:00
yoff
d0a393e8d1
Update python/ql/test/library-tests/frameworks/stdlib/XPathExecution.py
...
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com >
2022-03-04 10:56:53 +01:00
yoff
c514282d4a
Merge pull request #8255 from tausbn/python-nomagic-pattern-getcase
...
Python: Prevent magic/inlining in `getCase`
2022-03-04 10:53:20 +01:00
Rasmus Wriedt Larsen
ef045a6789
Python: Fix typo in set_default_parser
2022-03-04 10:18:30 +01:00
Rasmus Wriedt Larsen
1a9620a87a
Python: Add conditional assignment check for sax parser
2022-03-04 10:16:28 +01:00
Rasmus Wriedt Larsen
f0131afc54
Python: Fix huge_tree modeling
2022-03-04 10:16:28 +01:00
Rasmus Wriedt Larsen
d6cbfec434
Python: huge_tree tests were wrong
...
Nice spotted @jorgectf!
2022-03-04 10:16:28 +01:00
Rasmus Wriedt Larsen
3cd165d5b7
Python: Apply suggestions from code review
...
Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com >
2022-03-04 10:15:50 +01:00
Erik Krogh Kristensen
934e06ca3b
fix mistake in argumentPassing. The type-tracking was not required to be in an end state
2022-03-04 09:49:42 +01:00
Jorge
683c2fa825
Apply suggestions from code review
2022-03-04 01:02:56 +01:00
Ahmed Farid
be7c619ca8
Update zipslip_bad.py
2022-03-04 00:48:45 +01:00
Rasmus Wriedt Larsen
3f6c55e8ae
Python: Rename vulnerable predicate => vulnerableTo
2022-03-03 22:09:31 +01:00
Rasmus Wriedt Larsen
0d69dc854c
Python: Minor qldoc improvement
2022-03-03 22:06:26 +01:00
Rasmus Wriedt Larsen
837daaae3b
Python: Remove XMLParser concept
2022-03-03 22:04:48 +01:00
Rasmus Wriedt Larsen
df8e0fce68
Python: Minor fixup of qldoc
2022-03-03 22:02:48 +01:00
Rasmus Wriedt Larsen
c0a6f9f3fd
Python: Restructure lxml modeling
...
and handle parser being passed as positional argument
2022-03-03 22:00:55 +01:00
Rasmus Wriedt Larsen
c0a2c25f5a
Python: Restructure modeling of xml.etree parsers
2022-03-03 21:59:34 +01:00
Rasmus Wriedt Larsen
a033b71eaf
Python: Align QLdocs of XML modeling
2022-03-03 21:34:46 +01:00
Rasmus Wriedt Larsen
de0e67f327
Python: Restructure overall XML modeling
2022-03-03 21:31:15 +01:00
Rasmus Wriedt Larsen
46238d5ea0
Python: Add test for XMLPullParser
...
But handling this in a nice way will require some restructuring
2022-03-03 21:28:46 +01:00
Rasmus Wriedt Larsen
33ebcdf437
Python: Support feed method of lxml/xml.etree Parsers
2022-03-03 21:26:24 +01:00
Rasmus Wriedt Larsen
f72f673e7e
Python: Update XmlEntityInjection.expected
...
I had forgotten about this, but better late than never... also added a
small representative test
2022-03-03 21:18:18 +01:00
Rasmus Wriedt Larsen
3278793972
Python: Handle more functions and kw-args
2022-03-03 21:18:18 +01:00
Rasmus Wriedt Larsen
2451123c67
Python: Move XML PoC to new test dir
2022-03-03 21:18:18 +01:00
Rasmus Wriedt Larsen
c739ae40b6
Python: Port xmltodict tests
2022-03-03 21:18:18 +01:00
Rasmus Wriedt Larsen
0b12d91817
Python: Port xml.sax tests
2022-03-03 21:18:18 +01:00
Rasmus Wriedt Larsen
5fb4c4d152
Python: Port xml.etree tests
2022-03-03 20:51:02 +01:00
Rasmus Wriedt Larsen
a7134cac2e
Python: Port xml.dom tests
2022-03-03 20:39:56 +01:00
Rasmus Wriedt Larsen
faebaee141
Python: Use concept tests for XML Parsing
...
I was loosing my mind from looking through those .expected files
Just going to take it one file at time, to make reviewing easier
2022-03-03 20:36:51 +01:00
Rasmus Wriedt Larsen
4b03f5c724
Python: Rename xml.sax test for consistency
2022-03-03 19:39:32 +01:00
Rasmus Wriedt Larsen
7cda901da2
Python: Add separate query for SimpleXMLRPCServer
...
This was a rough quick-n-dirty query, and should get some qhelp as well at some point.
2022-03-03 19:35:33 +01:00
Rasmus Wriedt Larsen
9406a972cd
Python: Fix vuln detection for xml.minidom with parser arg
2022-03-03 17:52:11 +01:00
Rasmus Wriedt Larsen
5a652480b1
Python: Annotate xml.dom tests
2022-03-03 17:37:25 +01:00
